[confcom] Define the format for ACI policy specifications #9262
✔️ Azure CLI Extensions Breaking Change Test

Hi @DomAyre,
Thank you for your contribution! We will review the pull request and get back to you soon.
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).

```
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
```
Hi @DomAyre

Release Suggestions

Module: confcom

Notes
Pull Request Overview
Introduces a structured ACI policy specification using Python dataclasses and refactors ARM template policy generation to use new spec-based parsers. Key changes simplify fragment handling, add conversion utilities (ARM/image refs → policy spec), and adjust CLI interfaces (removing deprecated parameters like rego_imports/diff_mode bindings).
- Adds dataclasses (AciPolicySpec & related) and new parsers (arm_to_aci_policy_spec, image_refs_to_aci_policy_spec)
- Refactors load_policy_from_arm_template_str to emit policies via spec conversion
- Adjusts fragment handling and debug exec process insertion; updates CLI plumbing
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| template_util.py | Adds strategy override support for env vars and a helper to aggregate probe exec processes |
| security_policy.py | Rewrites ARM template loading to use spec pipeline; removes legacy params; updates debug exec handling |
| oras_proxy.py | Adjusts default fragment exclusion logic when pulling standalone fragments |
| lib/image_refs_to_aci_policy_spec.py | Adds utility to build a policy spec from image references |
| lib/arm_to_aci_policy_spec.py | Implements ARM→policy spec translation (parameters/variables/env/mounts/probes/securityContext) |
| lib/aci_policy_spec.py | Defines the dataclass-based canonical policy spec schema |
| custom.py | Adapts CLI command to new function signatures and adds diff-mode workaround logic |
| container.py | Prevents duplicate default mounts when injecting standard mounts |
| .gitignore | Ensures lib/ directory (new spec modules) is retained in source control |
Why
As part of #9167 and our ambition to have more modular steps in the policy generation process, it makes sense to have a simple, well defined spec for the JSON which describes the policy to be generated.
I have opted to go with Python dataclasses to define this; it's a Python-first approach which keeps the code simple, and also allows us to generate docs and JSON schemas from a single source of truth.
How
- `AciPolicySpec`, which specifies the format of the json which we use to generate the policy
- `load_policy_from_arm_template_str()` to use this parser
- `AciPolicySpec` are complete including fields which were previously implicitly added at policy gen time, add some code to avoid duplication of these implicit fields.

This checklist is used to make sure that common guidelines for a pull request are followed.
Related command

General Guidelines

- `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)

NOTE: Version is currently already bumped by DomAyre#4 but if that's released before this, we need to bump the version again
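The pattern the description above outlines (a dataclass spec as the single source of truth, a parser that loads the policy JSON into it, and implicit fields made explicit without duplicating what the caller already declared), as an added illustration that is not the confcom extension's code: the field names, the default mount value and the helper names here are hypothetical.

```python
from dataclasses import asdict, dataclass, field, fields, is_dataclass
from typing import Any, Dict, List, get_args, get_origin
# Hypothetical, much-reduced spec; the real AciPolicySpec has many more fields.
@dataclass
class MountSpec:
    mount_path: str
    mount_type: str = "emptyDir"
    readonly: bool = False

@dataclass
class ContainerSpec:
    name: str
    image: str
    env: Dict[str, str] = field(default_factory=dict)
    mounts: List[MountSpec] = field(default_factory=list)

@dataclass
class AciPolicySpec:
    containers: List[ContainerSpec] = field(default_factory=list)

# A mount that policy generation used to add implicitly (constructed value).
DEFAULT_MOUNTS = [MountSpec("/etc/resolv.conf", "resolvconf")]

def from_dict(cls, data: Dict[str, Any]):
    """Parse a JSON-style dict into the dataclass, recursing into nested dataclasses.
    Unknown keys are rejected so a typo cannot silently drop a security setting."""
    known = {f.name: f for f in fields(cls)}
    unknown = set(data) - set(known)
    if unknown:
        raise ValueError(f"unknown keys for {cls.__name__}: {sorted(unknown)}")
    kwargs = {}
    for name, value in data.items():
        typ = known[name].type
        if is_dataclass(typ):
            value = from_dict(typ, value)
        elif get_origin(typ) is list and is_dataclass(get_args(typ)[0]):
            value = [from_dict(get_args(typ)[0], v) for v in value]
        kwargs[name] = value
    return cls(**kwargs)

def add_default_mounts(spec: AciPolicySpec) -> AciPolicySpec:
    """Make implicit mounts explicit, skipping paths the caller already declared."""
    for container in spec.containers:
        declared = {m.mount_path for m in container.mounts}
        for default in DEFAULT_MOUNTS:
            if default.mount_path not in declared:
                container.mounts.append(MountSpec(**asdict(default)))
    return spec
```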